Microsoft hobbles app installer to protect Windows users from active attack

Microsoft disables MSIX ms-appinstaller protocol handler to protect Windows users from malware

Malicious actors were exploiting a bug in the MSIX ms-appinstaller protocol handler to inject malware like Emotet and Trickbot

Microsoft announced last week that it has disabled the MSIX ms-appinstaller protocol handler after discovering that the program was being actively exploited by malicious actors to install unwanted apps.

The change will help stop the spread of malware and other typical threats that target Windows users, the company said in a blog post.

Microsoft says it was recently notified that malicious actors could exploit a security vulnerability in the MSIX ms-appinstaller protocol handler to "spoof App Installer" and install a package that the user had no intention of installing on their machine.

The vulnerability, which is being tracked as CVE-2021-43890, was first disclosed by Microsoft in its December 2021 Patch Tuesday update.

According to Microsoft, MSIX brings a "modern packaging experience" to legacy Windows apps.

"The MSIX package format preserves the functionality of existing app packages and/or install files in addition to enabling new, modern packaging and deployment features to Win32, WPF, and Windows Forms apps," Microsoft notes.

The MSIX ms-appinstaller protocol handler is a feature that enables Windows users to install a Windows app without having to download a complete MSIX package.

Many developers used it to allow users to install apps directly from a web server.

Microsoft indicated in its post that malicious actors were spoofing AppX installer to inject malware like Trickbot, Emotet, and Bazaloader.

Disabling the ms-appinstaller protocol means users now cannot use the App Installer to install an app directly from a web server.

Instead, they must first download the app to their system and then use App Installer to install the package.

"This may increase the download size for some packages," according to Microsoft.

The company said it was actively working to address the flaw.
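For defenders who want to see where such web-install links still appear in mail bodies, web pages or proxy logs, the following added example (not code from Microsoft or from this article) extracts them and reports the server each one points at. It assumes the `ms-appinstaller:?source=<URL>` link form, which the article does not show; the sample text, hosts and allowlist are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# A link runs until whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"ms-appinstaller:\??[^\s\"'<>]+", re.IGNORECASE)
PACKAGE_EXTS = (".appinstaller", ".msix", ".msixbundle", ".appx", ".appxbundle")

def find_appinstaller_links(text, allowed_hosts=frozenset()):
    """Return one record per ms-appinstaller link found in text."""
    findings = []
    # Unescape first so that &amp; inside an href becomes a plain '&'.
    for match in URI_RE.finditer(html.unescape(text)):
        raw = match.group(0).rstrip(".,;)")
        query = raw.split(":", 1)[1].lstrip("?")
        # parse_qs percent-decodes values; keys are compared case-insensitively.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        source = params.get("source", [""])[0]
        parts = urlsplit(source)
        host = (parts.hostname or "").lower()
        findings.append({
            "uri": raw,
            "source": source,
            "scheme": parts.scheme.lower(),
            "host": host,
            "is_package": parts.path.lower().endswith(PACKAGE_EXTS),
            "allowed": host in allowed_hosts,
        })
    return findings

# Constructed sample: two HTML links and one proxy log line.
SAMPLE = '''
<p>Install our viewer:
<a href="ms-appinstaller:?source=https://pkg.corp.example.test/viewer/Viewer.appinstaller">Install</a></p>
<p>Open the attached document with
<a href="MS-AppInstaller:?source=https%3A%2F%2Ffiles.example.org%2Fdoc%2FReader.msixbundle&amp;x=1">this component</a></p>
GET /r?u=ms-appinstaller:?source=http://203.0.113.7/a.appx 200
'''

if __name__ == "__main__":
    # Hypothetical allowlist of internal package servers.
    for f in find_appinstaller_links(SAMPLE, {"pkg.corp.example.test"}):
        verdict = "ok" if f["allowed"] else "REVIEW"
        print(f"{verdict:6} {f['scheme']:5} {f['host']:24} {f['source']}")
```

Links whose host is not on the allowlist, or that use plain `http`, are the ones to review first.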

In related news, Microsoft said this week that it has patched a known bug that caused apps using Microsoft .NET to experience issues when acquiring or configuring Active Directory Forest Trust Information.

The bug emerged following the release of January 2022 Patch Tuesday updates.

"After installing updates released January 11, 2022 or later, apps using Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might fail, close, or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error. Note for developers: Affected apps use the System.DirectoryServices API," Microsoft explained.

The company said its out-of-band updates address the issue on machines running Windows Server 2022, 2019 and 2016.

Customers using other impacted versions of the .NET Framework or Windows are expected to receive an emergency fix "in the coming days".